On 17/07/19 16:22, Rowland penny via samba wrote:
> I don't think there is a 'best way'. This used to come up fairly often
> in the early days of Samba AD, I think all you can do is to search in
> sam.ldb and remove any mention of the old DC, but DO NOT alter the
> files under sam.ldb.d, reading this might help:
>
> https://lists.samba.org/archive/samba/2014-February/178947.html
>
> Rowland

Hi Rowland,

The file is pretty big for our company size - 124k lines when edited.
I've spent about an hour carefully removing, editing and skipping
entries referencing old dc1.
Unfortunately upon saving all my changes were discarded without a
warning...

root@dc2 /# ldbedit -e vim -H /var/lib/samba/private/sam.ldb --cross-ncs
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
failed to add CN=dns-dc2,CN=Users,DC=example,DC=co,DC=uk - objectclass: 'isCriticalSystemObject' must not be specified!

Would it be ok to leave this record as dns-dc1?
Or maybe I should do something else?

Thanks,
Adam
On 18/07/2019 11:18, Adam Weremczuk via samba wrote:
> Hi Rowland,
>
> The file is pretty big for our company size - 124k lines when edited.
> I've spent about an hour carefully removing, editing and skipping
> entries referencing old dc1.
> Unfortunately upon saving all my changes were discarded without a
> warning...
>
> root@dc2 /# ldbedit -e vim -H /var/lib/samba/private/sam.ldb --cross-ncs
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> failed to add CN=dns-dc2,CN=Users,DC=example,DC=co,DC=uk -
> objectclass: 'isCriticalSystemObject' must not be specified!
>
> Would it be ok to leave this record as dns-dc1?
> Or maybe I should do something else?
>

Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to
create it yourself.

Easiest way will be to remove all mention of the dead DC, then use
'samba_upgradedns' to upgrade to the internal dns server, then run it
again to upgrade to Bind9 again, this will create the required user
for you.

Rowland
On 18/07/19 11:42, Rowland penny via samba wrote:
> Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to
> create it yourself.
>
> Easiest way will be to remove all mention of the dead DC, then use
> 'samba_upgradedns' to upgrade to the internal dns server, then run it
> again to upgrade to Bind9 again, this will create the required user
> for you.
>
> Rowland

I'm not sure if your advice applies.

What I'm trying to achieve is to trick dc2 into forgetting about dc1 so I
can demote dc2. dc1 is not dead, I want it alive and well!
I'm trying to kill dc2 and make dc1 also forget about it. Makes sense?

The entire record ldbedit (on dc2) complains about:

# record 4032
dn: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dns-dc1
description: DNS Service Account for skippy
instanceType: 4
whenCreated: 20130810204304.0Z
whenChanged: 20130810204304.0Z
uSNCreated: 3228
name: dns-dc1
objectGUID: 5daf1211-78c3-45a0-a1c6-ec490451ef71
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130206409840000000
primaryGroupID: 513
objectSid: S-1-5-21-156202952-582183142-927750060-1186
accountExpires: 9223372036854775807
sAMAccountName: dns-dc1
sAMAccountType: 805306368
servicePrincipalName: DNS/dc1.example.co.uk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk
isCriticalSystemObject: TRUE
uSNChanged: 3372
distinguishedName: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk

All I did was replace dc1 with dc2.

I need to be careful with switching DNS etc.
Both dc1 and dc2 currently own all FSMO roles and I already have some
problems because of that.

Adam
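The ldbedit failure in this thread is what a DN edit turns into: ldbedit applies the edited file as a delete of the old DN plus an add of the new DN, and sam.ldb refuses to add a record that carries isCriticalSystemObject, so the whole session is rolled back. Before opening a 124k-line file in vim it helps to know which records mention the DC at all and which of those would become DN changes. The script below is an added example, not code from the thread or from Samba: it parses an LDIF dump such as `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs` prints and classifies every record that references a DC name. The function names (parse_ldif, references, plan_edits) are this example's own, and the sample LDIF is constructed from a trimmed copy of the dns-dc1 record quoted above plus invented records for the other cases (a dnsNode, an NTDS Settings object, a fSMORoleOwner pointer with a wrapped value).

```python
"""Find references to a DC name in an LDIF dump of sam.ldb.

Added example; not code from the thread or from Samba. Input is the text
printed by `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs`.
Function names and the sample records are this example's own.
"""
import re

# Constructed sample: the dns-dc1 record from the thread (trimmed) plus
# invented records that show the other cases a scan turns up.
SAMPLE_LDIF = """\
# record 1
dn: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk
objectClass: user
cn: dns-dc1
servicePrincipalName: DNS/dc1.example.co.uk
isCriticalSystemObject: TRUE
distinguishedName: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk

# record 2
dn: DC=dc1,DC=example.co.uk,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=co,DC=uk
objectClass: dnsNode
name: dc1

# record 3
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
objectClass: nTDSDSA

# record 4
dn: DC=example,DC=co,DC=uk
objectClass: domainDNS
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=example,DC=co,DC=uk
isCriticalSystemObject: TRUE

# returned 4 records
"""


def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attr: [values]} dicts.

    '#' lines are skipped, a blank line ends a record, and a line that
    starts with a space continues the previous value (ldbsearch wraps
    long values that way). Base64 values ('attr:: ...') are kept as the
    raw base64 string, so a hostname inside them is not matched.
    """
    records, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last = None, None
            continue
        if raw[0] == " " and current is not None and last is not None:
            current[last][-1] += raw[1:]  # continuation line
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):  # 'attr:: base64' marker
            value = value[1:]
        if current is None:
            current = {}
        current.setdefault(name, []).append(value.strip())
        last = name
    if current:
        records.append(current)
    return records


def references(record, dc_name):
    """Attribute names (including 'dn') whose values mention dc_name.

    Whole-token match: 'dc1' hits 'dns-dc1', 'DNS/dc1.example.co.uk' and
    'CN=DC1,' but not 'dc10' or 'DC2'. Hex runs in GUIDs can still
    collide by accident, so review the hits before editing anything.
    """
    pat = re.compile(r"(?<![A-Za-z0-9])" + re.escape(dc_name) + r"(?![A-Za-z0-9])",
                     re.IGNORECASE)
    return sorted(attr for attr, values in record.items()
                  if any(pat.search(v) for v in values))


def plan_edits(ldif_text, dc_name):
    """Classify every record that mentions dc_name.

    'dn-change': the DN itself carries the name; ldbedit applies a DN
    edit as delete old + add new, and the add is refused for an
    isCriticalSystemObject record (the error in the thread).
    'attr-edit': only attribute values match; an in-place modify works.
    """
    plan = []
    for rec in parse_ldif(ldif_text):
        hits = references(rec, dc_name)
        if not hits:
            continue
        critical = rec.get("isCriticalSystemObject", ["FALSE"])[0].upper() == "TRUE"
        plan.append({"dn": rec["dn"][0],
                     "kind": "dn-change" if "dn" in hits else "attr-edit",
                     "critical": critical,
                     "attrs": [a for a in hits if a != "dn"]})
    return plan


if __name__ == "__main__":
    for e in plan_edits(SAMPLE_LDIF, "dc1"):
        warn = "  <-- isCriticalSystemObject: do not rename" if e["critical"] and e["kind"] == "dn-change" else ""
        print(f"{e['kind']:10} {e['dn']} {e['attrs']}{warn}")
```

Run it against a real dump with `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs > dump.ldif` and `plan_edits(open("dump.ldif").read(), "dc1")`; the 'dn-change' entries flagged critical are the ones that will abort an ldbedit session if their DN is rewritten, while 'attr-edit' entries (the fSMORoleOwner pointer, for instance) can be modified in place.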